Uninitialized Variables
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
The main idea here is to understand what happens with uninitialized variables, since they will hold whatever value was already in the memory assigned to them. Example:
- Function 1: initializeVariable: we declare a variable x and assign it a value, say 0x1234. This step is like reserving a spot in memory and putting a specific value there.
- Function 2: useUninitializedVariable: here we declare another variable y but do not assign it a value. In C, uninitialized variables are not automatically set to zero. Instead, they keep whatever value was last stored at their memory location.
When we run these two functions one after the other:
- In initializeVariable, x is assigned the value (0x1234), which occupies a specific memory address.
- In useUninitializedVariable, y is declared but never assigned, so it takes the memory slot right after x. Because y was never initialized, it ends up "inheriting" the value from the same memory location that x used, since that is the last value that was there.
This behaviour illustrates a key concept in low-level programming: memory management is critical, and uninitialized variables can lead to unpredictable behaviour or security vulnerabilities, because they may unintentionally hold sensitive data left over in memory.
Uninitialized stack variables can pose several security risks, such as:
- Data Leakage: sensitive information such as passwords, encryption keys or personal data can be exposed if it is left in uninitialized variables, allowing an attacker to read that data.
- Information Disclosure: the contents of uninitialized variables can reveal details about the program's memory layout or internal operations, helping attackers develop targeted exploits.
- Crashes and Instability: operations involving uninitialized variables can result in undefined behaviour, leading to program crashes or unpredictable results.
- Arbitrary Code Execution: in some cases, attackers can use these vulnerabilities to alter the program's control flow and make it execute code of their choosing, which can include remote code execution threats.
Example
#include <stdio.h>

// Function to initialize and print a variable
void initializeAndPrint() {
    int initializedVar = 100; // Initialize the variable
    printf("Initialized Variable:\n");
    printf("Address: %p, Value: %d\n\n", (void*)&initializedVar, initializedVar);
}

// Function to demonstrate the behavior of an uninitialized variable
void demonstrateUninitializedVar() {
    int uninitializedVar; // Declare but do not initialize
    printf("Uninitialized Variable:\n");
    printf("Address: %p, Value: %d\n\n", (void*)&uninitializedVar, uninitializedVar);
}

int main() {
    printf("Demonstrating Initialized vs. Uninitialized Variables in C\n\n");
    // First, call the function that initializes its variable
    initializeAndPrint();
    // Then, call the function that has an uninitialized variable
    demonstrateUninitializedVar();
    return 0;
}
How This Works:
- initializeAndPrint Function: this function declares an int variable initializedVar, assigns it the value 100, then prints both its memory address and its value. This step is straightforward and shows how an initialized variable behaves.
- demonstrateUninitializedVar Function: in this function we declare an int variable uninitializedVar without initializing it. When we try to print its value, the output may show a random number. That number is whatever data happened to be at that memory location before. Depending on the environment and compiler, the actual output varies, and sometimes, for safety, some compilers may zero-initialize variables, although that should not be relied upon.
- main Function: main calls both functions above in sequence, showing the contrast between an initialized variable and an uninitialized one.
Practical exploitation patterns (2024–2025)
The classic “read-before-write” bug remains relevant because modern mitigations (ASLR, canaries) often rely on secrecy. Typical attack surfaces:
- Partially initialized structs copied to userland: kernel code or drivers often memset only the length field and then copy_to_user(&u, &local_struct, sizeof(local_struct)). Padding and unused fields leak stack canary halves, saved frame pointers or kernel pointers. If the struct holds a function pointer, leaving it uninitialized can also enable a controlled overwrite when it is later used.
- Uninitialized stack buffers reused as indexes/lengths: an uninitialized size_t len; used to bound read(fd, buf, len) can give attackers out-of-bounds reads/writes or let them bypass size checks when the stack slot still holds a large value from an earlier call.
- Compiler-added padding: even when every member is initialized individually, the implicit padding bytes between them are not. Copying the whole struct to userland leaks padding that often contains prior stack content (canaries, pointers).
- ROP/Canary disclosure: if a function dumps a local struct to stdout for debugging, uninitialized padding can reveal the stack canary and enable subsequent stack-overflow exploitation without brute force.
Minimal PoC pattern to detect such issues during review:
#include <stdint.h>
#include <sys/types.h>
#include <unistd.h>

struct msg {
    char data[0x20];
    uint32_t len;
};

ssize_t handler(int fd) {
    struct msg m; // never fully initialized: stale stack bytes stay in place
    m.len = read(fd, m.data, sizeof(m.data)); // a short read leaves the tail of data untouched
    // later debug helper
    write(1, &m, sizeof(m)); // leaks padding + stale stack
    return m.len;
}
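The padding point above and the PoC just shown both come down to bytes that no member store ever touches. As an added example (not code from the original page or from HackTricks), here is a small C harness built around a hypothetical struct hdr that makes such bytes countable during review: it pre-poisons the object the way -ftrivial-auto-var-init=pattern would, runs a "before" fill that sets every member and an "after" fill that clears the object first, and reports how many poison bytes survive each. The struct layout and the 0xAA poison byte are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical header struct (added example, not the page's code). On the usual
 * x86-64 / AArch64 ABIs the 1-byte type is followed by 3 padding bytes so len is
 * 4-aligned, and 2 more padding bytes follow flags to round the size up to 12. */
struct hdr {
    uint8_t  type;
    uint32_t len;
    uint16_t flags;
};

typedef void (*fill_fn)(struct hdr *, uint8_t, uint32_t, uint16_t);

/* Bytes of struct hdr that belong to no member at all: compiler padding. */
size_t hdr_padding_bytes(void) {
    return sizeof(struct hdr) - sizeof(uint8_t) - sizeof(uint32_t) - sizeof(uint16_t);
}

/* "Before": every member gets a value, yet the padding keeps whatever the
 * object's storage held before. A whole-struct copy (write(), copy_to_user(),
 * memcpy into a packet) then ships those stale bytes. */
void fill_leaky(struct hdr *h, uint8_t type, uint32_t len, uint16_t flags) {
    h->type  = type;
    h->len   = len;
    h->flags = flags;
}

/* "After": clear the whole object first, padding included, then set members. */
void fill_fixed(struct hdr *h, uint8_t type, uint32_t len, uint16_t flags) {
    memset(h, 0, sizeof(*h));
    h->type  = type;
    h->len   = len;
    h->flags = flags;
}

/* Review/fuzz harness: pre-poison the object's storage with a recognisable
 * byte (the same idea as -ftrivial-auto-var-init=pattern), run the code under
 * test, then count how many poison bytes survive. Any non-zero result means a
 * member or padding was never written and would leak on a whole-struct copy.
 * The field values (1, 0x20, 3) are chosen so none of their bytes equals 0xAA. */
size_t surviving_poison(fill_fn fill) {
    struct hdr h;
    memset(&h, 0xAA, sizeof(h));   /* stand-in for stale stack content */
    fill(&h, 1, 0x20, 3);
    const unsigned char *p = (const unsigned char *)&h;
    size_t n = 0;
    for (size_t i = 0; i < sizeof(h); i++) {
        if (p[i] == 0xAA) n++;
    }
    return n;
}

int main(void) {
    printf("sizeof(struct hdr) = %zu, padding = %zu bytes\n",
           sizeof(struct hdr), hdr_padding_bytes());
    printf("leaky fill leaves %zu poison bytes\n", surviving_poison(fill_leaky));
    printf("fixed fill leaves %zu poison bytes\n", surviving_poison(fill_fixed));
    return 0;
}
```

The same harness shape works for any struct that ends up in a copy_to_user, write or send: poison, run the real initialisation path (including its error paths), and count. With the leaky fill the survivor count equals the padding size even though every member was assigned, which is exactly the case -Wuninitialized cannot see; with the memset-first fill it drops to zero.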
Mitigations & compiler options (keep in mind when bypassing)
- Clang/GCC auto-init: recent toolchains expose -ftrivial-auto-var-init=zero or -ftrivial-auto-var-init=pattern, filling every automatic (stack) variable at function entry with zeros or a poison pattern (0xAA / 0xFE). This blocks most uninitialized-stack info leaks and makes exploitation harder by turning secrets into known values.
- Linux kernel hardening: kernels built with CONFIG_INIT_STACK_ALL or the newer CONFIG_INIT_STACK_ALL_PATTERN zero/pattern-initialize every stack slot at function entry, wiping canaries/pointers that would otherwise leak. Look for distros shipping Clang-built kernels with these options enabled (they have become common in 6.8+ hardening configs).
- Opt-out attributes: Clang now allows __attribute__((uninitialized)) on specific locals/structs to keep performance-critical areas uninitialized even when global auto-init is enabled. Review such annotations carefully; they often indicate intended attack surface for side channels.
From an attacker's perspective, knowing whether a binary was built with these flags determines whether stack-leak primitives are viable or whether you must move on to heap/data-section disclosures.
Finding uninitialized-stack bugs quickly
- Compiler diagnostics: build with -Wall -Wextra -Wuninitialized (GCC/Clang). For C++ code, clang-tidy -checks=cppcoreguidelines-init-variables will auto-fix many cases with zero-init and is useful for spotting overlooked locals during an audit.
- Dynamic tools: -fsanitize=memory (MSan) in Clang or Valgrind's --track-origins=yes reliably flag reads of undefined stack bytes during fuzzing. Wrap test harnesses with these tools to surface even small padding leaks.
- Grepping patterns: in reviews, look for copy_to_user/write calls on whole structs, or memcpy/send of stack data where only part of the struct has been set. Pay special attention to error paths where initialization is skipped.
ARM64 example
This does not change at all on ARM64, since local variables are also handled on the stack; you can check this example where this is shown.
References
- CONFIG_INIT_STACK_ALL_PATTERN documentation
- GHSL-2024-197: GStreamer uninitialized stack variable leading to function pointer overwrite